How to Create and Configure the Certificate

About the BA Insight Self-Signed Certificate Script

Use the script contained in the following zip file to create a self-signed certificate for use with BA Insight products: CreateSelfSignedCertificate.zip

Script Operating System Support

Note: The script uses a PowerShell API that is only available in Windows 10+ or Windows Server 2016+.

If the API is not available, you receive a corresponding error message when running the script.

It is possible to use a certificate generated in Windows 10 or Windows Server 2016 on a server running Windows Server 2012 or older versions of Windows.

Script Parameters

The script supports the following parameters:

Parameter: CertFriendlyName
Type: String
Description:

Friendly name for the generated certificate.

This value is used several times by the script:

  • Example value: "BA Insight Self-Signed Certificate"

Parameter: IssuedTo
Type: String
Description:

Name of the server the certificate will be installed on.

IssuedTo has multiple options:

  1. This value is used in the Issued To and DNS Name metadata of the generated certificate.
    • Example value: "myserver.mydomain.local", representing the name of the server
  2. Use the final web site host name.
    1. Example value: bainsightadd.mydomain.local
    2. In this example, a DNS entry pointing to the server IP address must be created.
    3. Alternatively, a host.ini record can be added on the server in place of the DNS entry.
    4. Any client trying to access the site would also require a host.ini entry.
  • Example value: "myserver.mydomain.local"

How to Create a Self-Signed Certificate

The steps below describe how to use the BA Insight script to generate a self-signed certificate:

  1. Download the script.
  2. Extract the script file from the ZIP archive.
  3. Start a PowerShell window as an Administrator.

    It's important to run the script as an Administrator.

  4. Navigate to the folder where the script is located by executing the following command in the PowerShell window:

    cd "path_to_the_folder"
  5. Run the script by executing the following command in the PowerShell window:

    .\CreateSelfSignedCertificate.ps1 -CertFriendlyName "certificate_friendly_name" -IssuedTo "server_name"
  6. When prompted, enter the password to be used as the key for the PFX file.
  7. Sample script output is displayed in the screenshot below.
    1. Copy the value listed under Subject from the script output for future reference:


  8. After the script is finished, two files (CER and PFX) are output to the local directory where the script itself is stored.
    These files are two different representations of the generated certificate:
  • CER file:
    • Contains only the public key of the certificate and may be shared without any restrictions.
  • PFX file:
    • Contains both public and private keys and is secured with the password provided during the script execution.
    • The PFX file must be securely stored.
Note: Expiration time for the certificate generated by the script is set to 100 years from the time the certificate is created.
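
The following PowerShell check is an added example and is not part of the BA Insight script. It loads the two output files and confirms that the CER holds no private key, the PFX does, both describe the same self-signed certificate, and the DNS name matches the value passed as -IssuedTo. The file paths and the expected name are placeholders (assumptions) to replace with your own values.

```powershell
# Added example, not part of the BA Insight script.
# Placeholders (assumptions): replace with the CER/PFX files the script wrote
# and with the value you passed as -IssuedTo.
$cerPath  = '.\path_to_certificate.cer'
$pfxPath  = '.\path_to_certificate.pfx'
$issuedTo = 'myserver.mydomain.local'

$x509     = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName

# Resolve to full paths: .NET does not follow the PowerShell working directory.
$cer = $x509::new((Resolve-Path $cerPath).Path)

# Prompt for the PFX password instead of placing it on the command line.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$pfx = $x509::new((Resolve-Path $pfxPath).Path, $pfxPassword)

$checks = [ordered]@{
    'CER carries no private key'     = (-not $cer.HasPrivateKey)
    'PFX carries the private key'    = ($pfx.HasPrivateKey)
    'CER and PFX are the same cert'  = ($cer.Thumbprint -eq $pfx.Thumbprint)
    'Self-signed (Subject = Issuer)' = ($cer.Subject -eq $cer.Issuer)
    'DNS name matches -IssuedTo'     = ($cer.GetNameInfo($nameType, $false) -eq $issuedTo)
}
$checks.GetEnumerator() | ForEach-Object { '{0,-32} {1}' -f $_.Key, $_.Value }

# Values to keep for future reference.
"Subject : $($cer.Subject)"
"Expires : $($cer.NotAfter.ToString('u'))"

# The PFX holds the private key: list every identity that can access the file.
(Get-Acl -Path $pfxPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# Release the certificate handles, including the loaded private key.
$pfx.Reset()
$cer.Reset()
```

Any check that prints False, or an unexpected identity in the ACL listing for the PFX file, should be resolved before the certificate is installed.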

Important: The user account running the Microsoft Azure Blob Connector application pool must have READ access to the Trusted Root Certificate store on the local machine.

This user account cannot be NetworkService (local account used by the service control manager; not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function; has minimum privileges on the local computer and acts as the computer on the network).